

Dial Protection

CA Top Secret performs a security check for any VM user ID that has been defined to it. Any user who tries to DIAL a defined ID will find his request cleared by CA Top Secret. DIAL access is secured by using the VMDIAL keyword along with the TSS PERMIT command. For example:

TSS PERMIT(USER02) VMDIAL(USERA,USERB,USERC)

allows USER02 to dial to users USERA, USERB and USERC. Once a VMDIAL resource is owned, any ACID dialing those machines will be prompted for ACID and password. Furthermore, the ACID he provides must already be PERMITted to dial the given virtual machine.

Note: The ACID does not have to be defined in the VM directory, only in the Security File. CA Top Secret can provide security for users who do not have a VM user ID.

You can also specify to which line in the virtual machine the ACID may dial. This is done by appending the line number to the end of the VMDIAL operand. For example:

TSS PERMIT(USER02) VMDIAL(USERA.002(G))

forces USER02 to dial into USERA’s virtual machine GRAF devices 0020 through 002F.

Note: The Security Validation Algorithm treats VMDIAL resources differently depending on whether or not the user includes a specific line on the dial command. If the user does specify a line (‘D USERA 0020’), CA Top Secret interprets the requested resource as VMDIAL(USERA.0020). To be allowed access to this resource, a user should be permitted to it explicitly or by a generic permit, as in the following examples:

TSS PERMIT(USER02) VMDIAL(USERA.0020)
TSS PERMIT(USER02) VMDIAL(USERA.002(G))
TSS PERMIT(USER02) VMDIAL(USERA(G))

Because VMDIAL is a NONGENERIC resource, a permit to VMDIAL(USERA) will not allow access to VMDIAL(USERA.0020). By contrast, if the user does not include a line number in the dial command (‘D USERA’), then the requested resource is considered to be VMDIAL(USERA), and a permit to VMDIAL(USERA) would grant access to this resource. Because of the different ways in which a user can issue a dial command, administrators should exercise great care in defining permissions to a VMDIAL resource.
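
The matching behaviour described in the note above, modelled in Python as an added example (this is not CA Top Secret code and not its Security Validation Algorithm). Treating (G) as a plain prefix match is an assumption of the model, and the ACIDs USER03 and USER04, the sample permit list, and all function names are hypothetical.

```python
import re

# Constructed sample permits in the syntax shown on this page.
# USER03 and USER04 are hypothetical ACIDs added for the comparison.
SAMPLE_PERMITS = [
    "TSS PERMIT(USER02) VMDIAL(USERA)",
    "TSS PERMIT(USER03) VMDIAL(USERA.002(G))",
    "TSS PERMIT(USER04) VMDIAL(USERA(G))",
]

PERMIT_RE = re.compile(r"TSS\s+PERMIT\((\w+)\)\s+VMDIAL\((.+)\)\s*$", re.I)

def parse_permits(lines):
    """Return {acid: [(name, is_generic), ...]} for each VMDIAL permit line."""
    permits = {}
    for line in lines:
        m = PERMIT_RE.match(line.strip())
        if not m:
            continue  # not a VMDIAL permit; ignored by this model
        acid = m.group(1).upper()
        for entry in m.group(2).upper().split(","):
            entry = entry.strip()
            generic = entry.endswith("(G)")
            name = entry[:-3] if generic else entry
            permits.setdefault(acid, []).append((name, generic))
    return permits

def requested_resource(dial_command):
    """Map 'D USERA 0020' to 'USERA.0020' and 'D USERA' to 'USERA'."""
    parts = dial_command.upper().split()
    if len(parts) not in (2, 3) or parts[0] not in ("D", "DIAL"):
        raise ValueError(f"not a dial command: {dial_command!r}")
    return ".".join(parts[1:])

def is_permitted(permits, acid, dial_command):
    """Exact match for plain permits, prefix match for (G) permits (assumed)."""
    resource = requested_resource(dial_command)
    return any(
        resource.startswith(name) if generic else resource == name
        for name, generic in permits.get(acid.upper(), [])
    )

if __name__ == "__main__":
    permits = parse_permits(SAMPLE_PERMITS)
    for acid in ("USER02", "USER03", "USER04"):
        for cmd in ("D USERA", "D USERA 0020", "D USERA 0030"):
            print(acid, cmd, "->", is_permitted(permits, acid, cmd))
```

Running a planned permit set through both dial forms before issuing it shows whether the no-line and with-line cases grant what was intended.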